December 22, 2024

Archives for March 2003

Needlepoint Piracy: An Exclusive Interview!

Here at Freedom to Tinker, we are relentless in our quest to bring you the finest in pseudo-journalism. And so when Frank Field lifted the lid on needlepoint piracy, our staff sprang into action to bring you an exclusive newsmaker interview with the ultimate insider source on this story, a source who was President of the authoritative American Needlepoint Guild (ANG) at the time the story first broke. This source, reached at an undisclosed location in the southwestern United States, will be identified only as “my mother.”

She writes:

The active needlepointers are generally members of [ANG] and its chapters. One of the things stressed on our [i.e., ANG’s] mail list (with more than 1200 needlepointers – not all members – but all active including designers, stitchers, shop owners, etc.), in our every other month magazine for members, with our chapters in their rules and regulations, and other places where we can – [is] that needlepoint charts and other materials from books, etc. can be copied only for your own personal use. They cannot be swapped.

[…]

Anyway, this article came out when I was President of ANG (at the end of my term) and caused quite a lot of discussion. [Swapping] is, and has always been, a problem – just think it may be among a wider group than previously because of the Internet. But among heavy users of patterns, I would suggest it is not commonly done. At least among the people I know, everyone is concerned about the decline in the number of stores selling these kinds of materials making it much more difficult to find patterns. For most people, attending a national seminar where a large store is available, or purchasing things by mail order or more likely on line, is what is happening now in the industry. Because we are trying to support the outlets still available for material, plus the manufacturers, many people are almost fanatics [about respecting copyright].

I would suggest that the decline in pattern sales for [some publishers] may be [because] there are fewer stores that carry their materials, and perhaps their patterns are not of such interest when you have no way to see the pattern in person.

DRM, and the First Rule of Security Analysis

When I teach Information Security, the first lecture is dedicated to the basics of security analysis. And the first rule of security analysis is this: understand your threat model. Experience teaches that if you don’t have a clear threat model – a clear idea of what you are trying to prevent and what technical capabilities your adversaries have – then you won’t be able to think analytically about how to proceed. The threat model is the starting point of any security analysis.

Advocates of DRM (technology that restricts copying and usage) often fail to get their threat model straight. And as Derek Slater observes, this leads to incoherent rhetoric, and incoherent action.

If you’re a copyright owner, you have two threat models to choose from. The first, which I’ll call the Napsterization model, assumes that there are many people, some of them technically skilled, who want to redistribute your work via peer-to-peer networks; and it assumes further that once your content appears on a p2p network, there is no stopping these people from infringing. The second threat model, which I’ll call the casual-copying model, assumes that you are worried about widespread, but small-scale and unorganized, copying among small groups of ordinary consumers.

If you choose the Napsterization threat model, then you fail if even one of your customers can defeat your DRM technology, because that one customer will inject your content into a p2p network and all will be lost. So if this is your model, your DRM technology must be strong enough to stymie even the most clever and determined adversary.

If you choose the casual-copying threat model, then it’s enough for your DRM technology to frustrate most would-be infringers, most of the time. If a few people can defeat your DRM, that’s not the end of the world, because you have chosen not to worry about widespread redistribution of any one infringing copy.

Many DRM advocates make the classic mistake of refusing to choose a threat model. When they complain about the problem, they seem to be using the Napsterization model – they talk about one infringing copy propagating across the world. But when they propose solutions they seem to be solving the casual-copying problem, asking only that the technology keep the majority of customers from ripping content. So naturally the systems they are building don’t solve the problem they complain about.

If you’re a DRM advocate, the first rule of security analysis says that you have to choose a threat model, and stick to it. Either you choose the Napsterization model, and accept that your technology must be utterly bulletproof; or you choose the casual-copying model, and accept that you will not prevent Napsterization. You can’t have it both ways.

DRM in Cell Phones?

Elisa Batista at Wired News reports on the Cellular Telecommunications and Internet Association (CTIA) trade show. Rep. Billy Tauzin gave his perspective in a speech:

But Tauzin did offer [CTIA CEO Tom] Wheeler some advice in order to avoid more regulation: Have the industry clean up its act. If it doesn’t want to be hit by legislation, it should improve cell-phone coverage, roll out enhanced 911 service in a timely fashion so that anyone who dials 911 on a cell phone can get help immediately, and build a mechanism to protect content from piracy over wireless devices, he said.

That’s right, folks – DRM for cell phones.

(Thanks to Mark Seecof for the link.)

DRM and the Regulatory Ratchet

Regular readers know that one of my running themes is the harm caused when policy makers don’t engage with technical realities. One of the most striking examples of this has to do with DRM (or copy-restriction) technologies. Independent technical experts agree almost universally that DRM is utterly unable to prevent the leakage of copyrighted material onto file sharing networks. And yet many policy-makers act as if DRM is the solution to the file-sharing problem.

The result is a kind of regulatory ratchet effect. When DRM seems not to be working, perhaps it can be rescued by imposing a few regulations on technology (think: DMCA). When somehow, despite the new regulations, DRM still isn’t working, perhaps what is needed is a few more regulations to backstop it further (think: broadcast flag). When even these expanded regulations prove insufficient, the answer is yet another layer of regulations (think: consensus watermark). The level of regulation ratchets up higher and higher – but DRM still doesn?t work.

The advocates of regulation argue at each point that just one more level of regulation will solve the problem. In a rational world, the fact that they were wrong last time would be reason to doubt them this time. But if you simply take on faith that DRM can prevent infringement, the failure of each step becomes, perversely, evidence that the next step is needed. And so the ratchet clicks along, restricting technical progress more and more, while copyright infringement goes on unabated.

Online Porn and Bad Science

Declan McCullagh reports
on yesterday’s House Government Reform Committee hearings on porn and
peer-to-peer systems. (I’m sure there is some porn on these systems,
as there is in every place where large groups of people gather.)
There’s plenty to chew on in the story; Frank Field says it “sounds
like a nasty meeting.”

But I want to focus on the factual claims made by one witness. Declan writes:

Randy Saaf, president of P2P-tracking firm MediaDefender, said his
investigations of child pornography on P2P networks found over 321,000
files “that appeared to be child pornography by their names and file
types,” and said that “over 800 universities had files on their
networks that appeared to be child pornography.”

But MediaDefender, and one of the government studies released on
Thursday, reviewed only the file names and not the actual contents of
the image files. A similar approach used in a 1995 article [i.e., the
now-notorious Rimm study – EWF] that appeared in the Georgetown
University law journal drew strong criticism from academics for having
a flawed methodology that led to incorrect estimates of the amount of
pornography on the Internet.

Characterizing a file as porn based on its name alone is obviously
lame, if your goal is to make an accurate estimate of how much porn is
out there. (And that is the goal, isn’t it?)

It’s no excuse to say that it’s infeasible to sample 321,000 files
by hand to see if they are really porn. Because if you actually care
whether 321,000 is even close to correct, you can examine a small
random sample of the files. If you sample, say, ten randomly chosen
files and only five of them are really porn, then you can be pretty
sure that 321,000 is far wrong. There’s no excuse for not doing this,
if your goal is to give the most accurate testimony to Congress.

UPDATE (8:30 AM, March 18): According to a Dawn Chmielewski story at the San Jose Mercury News, a government study found that 42% of files found on Kazaa via “search terms known to be associated with child porn” were actually child porn.